Cloud computing and information management

Cloud computing poses both benefits and risks for your agency. Gains in cost, efficiency, accessibility and flexibility need to be weighed up against risks associated with security, privacy and information management.

Current government policy requires agencies to consider cloud solutions as a priority when rolling out or replacing ICT infrastructure, applications or services. You should do a risk assessment to identify and manage jurisdictional, governance, privacy, technical and security risks before engaging a cloud service provider. Information management issues must be addressed in contracts with cloud service providers.

Legislative context for business information in the cloud

Australian Government information that is created, stored and managed in the cloud is subject to the Archives Act 1983. Under the Act, all data and information your agency creates, uses or receives as part of its business is a Commonwealth record. Your agency is responsible for managing the storage, access, alteration, transfer or destruction of its business information.

Your agency must also comply with the requirements of the Freedom of Information Act 1982 and the Privacy Act 1988. You must take contractual measures to ensure cloud service providers do not breach the Australian Privacy Principles.

Issues to assess when considering cloud computing

You need to assess the following information management issues when planning to engage a cloud service provider:

Scope

Consider carefully what business information will reside in the cloud. Will restricted data, such as personal information, be stored in the cloud? The higher the value of material, the more controls need to be implemented to ensure the integrity, authenticity and reliability of information.

Ownership

Your agency needs to retain ownership over its business information stored and managed in the cloud.

Storage location

You need to specify storage location prior to procuring a cloud service model or negotiating contracts with a vendor.

Australian Signals Directorate (ASD) has endorsed a number of cloud providers and services on its website. The Department of Finance also published a list of approved suppliers on its Cloud Services Panel.

Preservation

Business information stored and managed in the cloud needs to be preserved so that it is accessible for as long as required.

Your cloud service provider must conduct regular integrity checks and ensure that long term and permanent business information is migrated, as needed.

Retention and disposal

Cloud service providers must only dispose of business information, including copies, under instruction from your agency.

Responsibilities

Clarity around agency and cloud service provider's responsibilities is critical to managing risks and maintaining security confidence within your agency. Uncertainty about what the provider is responsible for and what the agency is responsible for should be addressed through contract provisions.

Expertise

The adoption of cloud services requires specific digital skills and expertise. You should include information management specialists in the planning and implementation of cloud computing.

Contractual requirements for business information in the cloud

It is essential that contracts with cloud service providers ensure that business information created, stored and managed in the cloud is:

authentic, accurate and trusted

complete and unaltered

secure from unauthorised access and deletion

findable and readable

related to other relevant business information

You need to ensure that the software application used to manage information in the cloud has adequate and appropriate information management functionality.

Authentic, accurate and trusted

Storage

Cloud service providers may store business information on multiple servers in multiple locations, including across different countries.

Your business information may be seized or accessed without your knowledge if it is stored outside Australia, or it may be caught up in discovery or other legal action affecting other information sharing the same server.

Knowing the location of your information and assessing the associated risks helps ensure your business information is appropriately secure. This is fundamental to an informed risk assessment.

Audit management

Unauthorised access can diminish the evidential value and authenticity of business information. To maintain accurate and trusted information, it is essential that the cloud service provider:

Audit logs have also evidentiary value. Your contract should specify what audit information needs to be kept and for how long and ensure that you have access to audit logs.

Security of ICT systems

Data and network security and physical security ensure that business information remains authentic, accurate and trusted. The Australian Government Protective Security Policy Framework and the Australian Government Information Security Manual set out security requirements for government ICT systems.

You should ensure that controls and protections appropriately match the value of the business information.

Contract tip: Storage location, as well as ICT security, should be outlined in the contract with your cloud service provider.

Complete and unaltered

Migration, conversion and refreshment are inevitable processes in managing digital information. If not done properly, there is a risk that the information may become incomplete or damaged. This affects its value as evidence.

You need to assess the migration, conversion and refreshment techniques used by the cloud service provider to ensure that business information is not inadvertently altered or incomplete. Service providers should obtain permission from your agency prior to conversion or migration of information.

If certain conditions are met, you can destroy business information that is no longer needed once it has been copied, converted or migrated. The National Archives permits this destruction through the 'General Disposal Authority for Source Records that have been Copied, Converted or Migrated'.

Any alteration of business information should be authorised by your agency and documented.

Secure from unauthorised access and deletion

Your contract should specify who has the right to access information and when.

When business information is accessed and used, further transactional information is created. This transactional information also belongs to your agency and you should ensure that the cloud service provider does not use this information for their own purposes. Access restrictions should be commensurate with the value of the information.

Cloud service provider's viability

If a cloud service provider ceases business, access to business information may be lost either temporarily or permanently. The new service provider may not honour previous arrangements and your agency may not know who has accessed its information. This may compromise your ability to ensure business information is secure from unauthorised alteration or deletion.

Risk of incomplete destruction of business information

Destruction or transfer of business information stored or created in the cloud is subject to authorisation by the National Archives.

Cloud service providers often create multiple copies of the information they store for an agency, on geographically-dispersed storage media, to ensure that business information is not lost and is available to users. When they are due for destruction, you should ensure that all copies of information, including the ones kept on backup and other disaster recovery systems, are destroyed by the cloud service provider as appropriate.

If business information is not destroyed when required, it may be at risk of unauthorised access or other risks associated with over retention.

Third party subcontractors

Cloud services may involve layers of subcontractors. These subcontractors need to secure your business information in the same way as the contracted provider.

Contract tip: The cloud service provider should agree in the contract that it will comply with the security obligations of the Australian Government. If your agency has obligations to keep particular business information confidential, these obligations need to be included in the contract.

Findable and readable

Readability and usability of business information

Business information has little value if it is not readable. Some cloud service providers require clients to use particular formats and software. You should consider the risks this poses to ongoing usability of your information.

Business information returned to your agency must be in a usable format.

Impact of corrupted business information

There is always a risk that digital information may become corrupted in the event of network breaks, service disruptions or network congestion. If this happens, it can be difficult or impossible to access and use it. It is important for your agency and the cloud service provider to address the need for restoring corrupted business information.

It is important that the cloud service provider undertakes regular backups and that business continuity plans are in place for recovery of information.

Compatible metadata to identify and retrieve your agency business information

Metadata is the means by which information can be confirmed as complete, authentic, findable and usable. You also need to ensure that business information has sufficient metadata to satisfy access and retention requirements.

The Australian Government Recordkeeping Metadata Standard (AGRkMS) can help your agency meet its archival requirements by describing and maintaining findable and readable records. The Standard can also assist with grouping, organising and controlling the business information.

Metadata is itself information that needs to be managed and retrieved.

Impact of vendor lock-in

A cloud service provider may require you to use proprietary software and hardware. This may lock you into arrangements with that service provider because of the difficulty in retrieving business information in a format that can be migrated to another provider, or even to your own servers. The value of the information in those cases is severely reduced.

Contract tip: Contracts with cloud service providers should specify the format in which business information and associated metadata is returned to your agency. It should also specify formats used in storage and the migration processes. Preferably, the service provider should use open formats to support readability over time. Ensure there are provisions in your migration plan for transferring information with archival value from the cloud to the Archives.

Related to other relevant business information

Metadata maintenance and management

Mismanaged metadata may weaken the ability to link business information, thus diminishing its context.

Relationship between business information stored in the cloud and in-house

You should ensure that business information stored in the cloud is related to information stored in other locations and the connections between them are clear. Systems for managing information in the cloud and in-house should be complementary. This may mean that additional metadata needs to be applied to business information stored in the cloud to maintain its relationship links.

Contract tip: The contract with the cloud service provider should include minimum metadata requirements for the management of business information, as described in the Australian Government Recordkeeping Metadata Standard (AGRkMS).

More information

The Secure Cloud Strategy outlines a number of ways to help government agencies build understanding of cloud and confidence in using it, as well as growing the skills to transform old systems. The strategy is designed to prepare agencies for the shift to cloud and support them through the transition.

Cloud Computing Security describes the information security risks that need to be considered by agencies wishing to adopt cloud computing services. It also includes a list of cloud computing services endorsed by the Australian Signals Directorate (ASD).